GenAI providers
Ce contenu n’est pas encore disponible dans votre langue.
Cortex can store and manage API credentials for GenAI providers. This lets agents and backend services access LLM capabilities through Cortex-managed keys instead of passing credentials in every request.
Supported providers
Section titled “Supported providers”| Provider | Key format | Default model | Fast model | Quality model | Status |
|---|---|---|---|---|---|
| Google Gemini | AIza... | gemini-2.5-pro | gemini-2.5-flash | gemini-2.5-pro | Production |
| OpenAI | sk-... | gpt-4o | gpt-4o-mini | gpt-4o | Production |
| Anthropic Claude | sk-ant-... | claude-sonnet-4-6 | claude-haiku-4-5 | claude-opus-4-7 | Production |
Each provider supports three model tiers: default (general purpose), fast (low latency, lower cost) and quality (highest capability). You can also configure additional custom model slots.
Configure a provider
Section titled “Configure a provider”From the web UI, go to My Account > Providers.
- Select the provider you want to configure
- Paste your API key
- Choose models for the default, fast and quality tiers
- Click Save
- Optionally, click Test to verify the connection without consuming tokens
You can configure credentials for all three providers simultaneously. Each configuration is scoped to an owner (the authenticated user).
The REST API equivalent is PUT /api/account/providers/:provider with a JSON body containing apiKey and models.
Key security
Section titled “Key security”| Guarantee | Mechanism |
|---|---|
| Keys encrypted at rest | AES-256-GCM with per-key unique IV |
| Encryption key required | ENCRYPTION_KEY env var (base64-encoded 32-byte key) |
| Tampering detection | GCM authentication tag — any bit flip produces a visible error |
| Keys never returned in cleartext | The API and UI only show a masked version (AIza••••••••Xy9z) |
| Keys never logged | The decrypted key is used server-side only, never serialized to logs or responses |
| Connection test is non-destructive | Test pings the provider’s model listing endpoint, consuming zero tokens |
Keys are stored in PostgreSQL (the provider_credentials table). The ciphertext, IV and authentication tag are stored separately. The encryption key itself is an environment variable managed by your deployment, not by Cortex.
What Cortex does not do
Section titled “What Cortex does not do”- Cortex does not proxy LLM requests. It stores credentials; the consuming application retrieves the decrypted key server-side and calls the provider directly.
- Cortex does not impose a provider. Provider configuration is optional. You can run Cortex without any provider credentials configured — the catalogue, memory and governance features work independently.
- Cortex does not track provider usage or costs. Cost management is your provider’s responsibility.
What next?
Section titled “What next?”- Understand the two API surfaces: 06-rest-and-mcp
- Check the security posture: 07-security-and-data